In the New Fight for Online Privacy and Security, Australia Falls: What Happens Next?

With indecent speed, and after the barest nod to debate, the Australian Parliament has now passed the Assistance and Access Act, unopposed and unamended. The bill is a cousin to the United Kingdom’s Investigatory Powers Act, passed in 2016. The two laws vary in their details, but both now deliver a panoptic new power to their nations’ governments. Both countries now claim the right to secretly compel tech companies and individual technologists – including network administrators, sysadmins, and open source developers – to re-engineer software and hardware under their control, so that it can be used to spy on their users. Engineers who refuse to comply can be penalized with fines and prison; in Australia, even counseling a technologist to oppose these orders is a crime.

We don’t know – because it is a state secret – whether the UK has already taken advantage of its powers, but this month we had some strong statements from GCHQ about what they plan to do with them. And because the “Five Eyes” coalition of intelligence-gathering countries have been coordinating this move for some time, we can expect Australia to shortly make the same demands.

Ian Levy, GCHQ’s Technical Director, recently posted on the Lawfare blog what GCHQ wants tech companies to do. Buried in a post full of justifications (do a search for “crocodile clips” to find the meat of the proposal, or read EFF’s Cindy Cohn’s analysis), Levy explained that GCHQ wants secure messaging services, like WhatsApp, Signal, Wire, and iMessage, to create deceitful user interfaces that hide who private messages are being sent to.

In the case of Apple’s iMessage, Apple would be compelled to silently add new devices to the list of devices that apps think you own: when someone sends you a message, it will no longer just go to, say, your iPhone, your iPad, and your MacBook – it will go to those devices, and a new addition, a spying device owned by the government.

With messaging systems like WhatsApp, the approach will be slightly different: your user interface will claim you’re in a one-on-one conversation, but behind the scenes, the company will be required to silently switch you into a group chat. Two of the people in the group chat will be you and your friend. The other will be invisible, and will be operated by the government.

The intelligence services call it “the ghost”: a stalking ghost that requires the most secure tech products available today to lie to their users, via secret orders that their designers cannot refuse without risking prosecution.
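Both variants described above (an extra device on a contact's device list, an extra member in what the interface shows as a one-on-one chat) come down to the service handing the sender one more public key than the user knows about. The following is an added example, not code from this article or from any of the services named: a minimal client-side check that refuses to send when the service's key list contains a key the user never confirmed. All names (`RecipientPins`, `recipients_for_send`) and the sample keys are hypothetical.

```python
import hashlib


class UnverifiedRecipient(Exception):
    """The service listed a recipient key the user never confirmed."""


def fingerprint(public_key: bytes) -> str:
    # Short digest a user could compare out of band with their contact.
    return hashlib.sha256(public_key).hexdigest()[:16]


class RecipientPins:
    """Per-conversation set of key fingerprints the user has confirmed."""

    def __init__(self):
        self._pins = {}

    def confirm(self, conversation, keys):
        # Called only after the user has verified these keys with the contact.
        self._pins[conversation] = {fingerprint(k) for k in keys}

    def unverified(self, conversation, server_keys):
        # Keys offered by the service that are not in the confirmed set.
        offered = {fingerprint(k) for k in server_keys}
        return sorted(offered - self._pins.get(conversation, set()))


def recipients_for_send(pins, conversation, server_keys):
    """Return the fingerprints a message may be encrypted to, or refuse."""
    extra = pins.unverified(conversation, server_keys)
    if extra:
        raise UnverifiedRecipient(f"{conversation}: unconfirmed keys {extra}")
    return sorted(fingerprint(k) for k in server_keys)


# Constructed sample keys (placeholders, not real key material).
ALICE_PHONE = b"constructed-key-alice-phone"
ALICE_LAPTOP = b"constructed-key-alice-laptop"
UNANNOUNCED = b"constructed-key-unannounced-device"

if __name__ == "__main__":
    pins = RecipientPins()
    pins.confirm("alice", [ALICE_PHONE, ALICE_LAPTOP])
    print(recipients_for_send(pins, "alice", [ALICE_PHONE, ALICE_LAPTOP]))
    try:
        recipients_for_send(pins, "alice", [ALICE_PHONE, ALICE_LAPTOP, UNANNOUNCED])
    except UnverifiedRecipient as err:
        print("refused:", err)
```

The check only helps if the client itself is honest about what it displays, which is exactly the property the proposal would have vendors give up.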

So this is the first step, after this Australian bill becomes law. We can imagine Facebook and Apple and other messaging services fighting these orders as best as they can. Big tech companies are already struggling with a profound collapse in trust among their customers; the knowledge that they may be compelled to lie to those users will only add to their problems.

But what about other services, who refuse to compromise their users’ security? What about the open source projects that will ask their Australian contributors to stop working on their security code, and businesses who will choose not to employ Australian developers, or decline to open offices in that country?

There can be only one step after you’ve compelled the big companies to agree to your back-doors, and that is to criminalize those truly secure services who prefer to follow the “laws of mathematics” instead of “the laws of Australia”.

Somewhat more quietly than the passage of the AA bill, the Australian Parliament this month also voted for an expansion of the country’s already wide-ranging website blocking powers. Australia continues to work to establish another precedent: that even supposedly open and democratic states should be able to censor and filter the Internet. If the country continues to walk down this road, then it’s only a matter of time before only back-doored communication tools run by compliant multinational tech companies are permitted in Australia, and all other services and protocols will face government-mandated blocking and filtering.

That world is still only a potential future. There will be opportunities for companies, lawyers, activists, technologists, and Australian voters to keep a filtered, insecure Australian Net from becoming a dystopian reality. But this month, thanks to Australia’s lawmakers on both left and right, that reality is a giant step closer.
